SSH-CERTD(8)                   SSH2                  SSH-CERTD(8)


NAME
       ssh-certd  - Secure Shell Certificate Validator on z/OS


SYNOPSIS
       ssh-certd [-d debug_level_spec] [-f config_file]
       [-o options] [-l listener-path] [-F] [-v] [-V] [-q]


DESCRIPTION
       ssh-certd (Secure Shell Certificate Validator) is a common
       process  for  validating  certificates,  used primarily by
       sshd2 when validating user certificates. Without a  common
       place  for  the  validations,  all the data needed for the
       validation would need to be duplicated  in  every  process
       doing  the  validations.  This  would  be very inefficient
       especially in cases where very large CRLs are to be  used.
       ssh-certd  allows  CRLs  and  CA certificates to be loaded
       only once and then used for all subsequent validations.

       ssh-certd  is  normally  started   at   boot   time   from
       /etc/rc.local or equivalent. It opens a listener socket by
       default   at  /opt/tectia/var/run/ssh-certd-listener.  The
       location  of  the  listener  can   be  changed   with  the
       CertdListenerPath keyword of sshd2_config.

       ssh-certd  can be configured using command-line options or
       a configuration file.  Command-line options override values
       specified in the configuration file.  ssh-certd reads
       configuration data  from  /opt/tectia/etc/ssh_certd_config
       (or the file  specified  with -f on the command line).  By
       default, the configuration file contains only the  keyword
       UseSSHD2ConfigFile,  which instructs ssh-certd to read the
       specified sshd2 configuration file in compatibility  mode,
       where  the  configuration  options  of  sshd2 are silently
       ignored, and only the options relating to  certificate  or
       general daemon configuration are read.



OPTIONS
       -d debug_level_spec
              Debug  mode.  The server sends verbose debug output
              to stderr.  This option is only intended for debugging
              the server.  The debugging level is either a number,
              or a comma-separated list of assignments of the format
              ModulePattern=debug_level, for example "*=10,sshd2=2".
              This should be the first argument on the command line.

       -f configuration_file
              Specifies  the name of the configuration file.  The
              default is /opt/tectia/etc/ssh_certd_config.  Note: if
              this is specified, the default configuration file is
              not read at all.

       -o 'option'
              Can be used to give options in the format  used  in
              the configuration files.  This is useful for specifying
              options for which there is no separate command-line
              flag.  The option has the same format as
              a line in the configuration  file.   Comment  lines
              are  not  accepted.   Where applicable, egrep regex
              format is used.

       -l listener-path
              Specifies the path where the server will  open  the
              listener socket.

       -F     Disables  daemon mode.  The server does not spawn a
              new process to the background.

       -v     Enables verbose mode.  Displays  verbose  debugging
              messages.   Equal to -d 2.  This option can also be
              specified in the configuration file.

       -V     Displays version string.

       -q     Quiet mode.  Nothing is sent  to  the  system  log.
              Normally the beginning, authentication, and termination
              of each connection is logged.  This option
              can also be specified in the configuration file.


CONFIGURATION FILE
       ssh-certd reads configuration data from
       /opt/tectia/etc/ssh_certd_config (or the file specified
       with -f on the command line).  The file contains keyword-value
       pairs, one per line.  Lines starting with  '#'  and  empty
       lines are interpreted as comments.

       For the format of ssh_certd_config, see ssh_certd_config(5).
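       As an added illustration (not code from Tectia or the ssh-certd
       product), the following models the two rules described under OPTIONS
       and CONFIGURATION FILE: keyword-value lines with '#' comments in
       ssh_certd_config, -o options in the same format (comments rejected)
       that override the file, and the -d debug_level_spec syntax.  Only
       UseSSHD2ConfigFile is a keyword taken from this page; ExampleKeyword
       is a constructed placeholder.

```python
# Constructed sample ssh_certd_config (UseSSHD2ConfigFile is from the man page;
# ExampleKeyword is a placeholder, not a real ssh-certd keyword).
SAMPLE_CONFIG = """\
# ssh_certd_config - constructed sample
UseSSHD2ConfigFile sshd2_config

ExampleKeyword from-file
"""

def parse_config_text(text):
    """Keyword-value pairs, one per line; '#' lines and empty lines are comments."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'Keyword value', got {raw!r}")
        settings[parts[0]] = parts[1]
    return settings

def parse_option_flag(option):
    """One -o argument: same format as a config line, but comments are not accepted."""
    if not option.strip() or option.lstrip().startswith("#"):
        raise ValueError(f"-o does not accept comment or empty lines: {option!r}")
    return parse_config_text(option).popitem()

def effective_settings(config_text, o_options=()):
    """Command-line -o values override values read from the configuration file."""
    settings = parse_config_text(config_text)
    for opt in o_options:
        key, value = parse_option_flag(opt)
        settings[key] = value
    return settings

def parse_debug_spec(spec):
    """-d argument: a bare number, or ModulePattern=level pairs such as '*=10,sshd2=2'."""
    if spec.isdigit():
        return {"*": int(spec)}
    levels = {}
    for item in spec.split(","):
        pattern, sep, level = item.partition("=")
        if not sep or not pattern or not level.isdigit():
            raise ValueError(f"bad debug assignment: {item!r}")
        levels[pattern] = int(level)
    return levels
```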


FILES
       /opt/tectia/etc/ssh_certd_config
              Contains configuration data  for  ssh-certd.   This
              file  should  be  writable  by root only, but it is
              recommended  (though  not  necessary)  that  it  be
              world-readable.   For  ease of migration from older
              installations, ssh_certd_config contains by default
              the  line  "UseSSHD2ConfigFile sshd2_config", which
              instructs ssh-certd to read the certificate configuration
              from the sshd2 configuration file and
              ignore the options that are not relevant to it.


INSTALLATION
       ssh-certd is normally run as root.


AUTHORS
       Tectia Corporation

       For more information, see http://www.tectia.com.


SEE ALSO
       ssh_certd_config(5), sshd2(8)